Microsoft Cloud Authors: Pat Romanski, Andreas Grabner, Nick Basinger, Kevin Benedict, Liz McMillan

Related Topics: Microsoft Cloud, Microservices Expo, Containers Expo Blog, Cloud Security

Microsoft Cloud: Tutorial

RDP Exploitation Using Cain

Cain has the ability to do a man in the middle attack against the RDP “Remote Desktop Protocol”

The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server.  RDP is designed to support different types of network topologies and multiple LAN protocols.  Remote Desktop Services formerly know as Terminal Services on Windows 2000 Server allow a server to host multiple, simultaneous client sessions.  Remote Desktop uses Remote Desktop Services technology to allow a single session to run remotely.  Thus a user can connect to a Remote Desktop Session Host server by using Remote Desktop Connection (RDC) client software.

Cain has the ability to do a man in the middle attack against the RDP “Remote Desktop Protocol”.  Cain is compiled using Microsoft Visual C++ and linked as a single executable file named “Cain.exe”.  Developed with a simple Windows graphical user interface, its main purpose is to concentrate several hacking techniques and proof of concepts providing a simplified tool focused on the recovery of passwords and authentication credentials from various sources.

Windows 2008 R2 has added some remote desktop services to its server such as RemoteApp, RD gateway, and RD Visualization Host.  The windows server role now provides increased flexibility to deploy individual applications or full desktops via RDS or a VDI solution.  The following is a list of Windows 2008 R2 individual applications that are available to users over the Remote Desktop Protocol (RDP).

  1. Remote Desktop Virtualization
  2. Remote Desktop IP Virtualization
  3. RDP & Remote Desktop Connection version 7.0
  4. Fair Share CPU scheduling
  5. Windows Installer compatibility
  6. True multiple monitor support for up to 16 monitors
  7. RDS Provider for PowerShell

With these new improvements the door is open for potential security issues depending on how you deploy RDS.  So RDS included a number of security mechanisms to help make RD connections more secure such as Network Level Authentication (NLA), Transport Layer Security (TLS), Group Policy, RD Web Access, and RD Gateway. 

NLA requires that the user be authenticated to the RD Session Host server before a session is created.  This helps protect the remote computer from malicious users and malware.  The client computer must be at Windows XP service pack 3 or above to use NLA.  Transport Layer Security (TLS) can use one of three security layers for protecting communications between the client and the RDS Session Host server:

  • RDP security layer – uses native RDP encryption and is least secure
  • Negotiate – TLS 1.0 (SSL) encryption used if the client supports it
  • SSL – TLS 1.0 encryption will be used for server authentication and encryption of data sent between the client and Session Host server.  This is the most secure.  You will need a digital certificate, which can be issued by a CA or self-signed.

This security can be all for not with some lax controls and an effective formidable foe using Cain on your network segment.  Cain runs on windows machines (Windows 9x & Windows NT/2000/XP) below is a screenshot of the interface. (see figure #1)

In this tutorial I have Cain running on a Windows XP machine and placed in the same network segment as a Windows 7 machine that is communicating with a Windows 2008 R2 server.  Below is a list of the IP address assignments.

Figure 1: Cain screenshot

Windows 7                
Windows XP (Attacker)
Windows 2008 R2   

When you fire up Cain you will be given a gui interface with a list of decoders, network, sniffer, cracker, traceroute, CCDU, wireless, and query tabulated across the top.  The first thing you want to do is select you interface by clicking on the sniffer icon at the top.  If you have more than one interface then you need to select the appropriate interface for your work.  This will start the sniffer and allow you to see what devices are available on the network segment (see Figure #2). 

Next you can select what devices you would like to sniff traffic to and from (see Figure #3).  Now you are ready to arp poison the network segment between your Windows 7 and Windows 2008 R2 Server by clicking on the radioactive button you will notice the status will change from idle to poisoning (see Figure #4).

Figure 2: Devices available on network segment

Now that the attack is set we need to go to our Windows 7 client and RDP into our Windows 2008 R2 server.  Now if you are doing this on a recent installation of Windows 2008 R2 server than you will have no problems within the first 120 days.  After that the grace period is over and a license server needs to be installed and activated.  But if your company is like most that I have worked for then money is tight and if there is a way found to get around purchasing a license all the better.  A Client Access License (CAL) is required for each client requiring access to Windows Server 2008 Terminal Services.  Once installed you can utilize the features I listed above to secure your RDP sessions.  But if your like most organizations you can always find a way around this license requirement.

Figure 3: Select devices you want to sniff traffic to and from

When you try connecting to the Windows 2008 R2 Server after the 120 day grace period via RDP you will get this error message if you don't have your Client Access License setup and configured (see Figure #5).

Figure 4: Status change from idle to poisoning

Figure 5: Error message

The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license.  Please contract the server administrator.  Now when the client in this case the Windows 7 machine – connects to an RD Session Host server it determines if an RDS CAL is needed.  The server then request an RDS CAL from a Remote Desktop license server on behalf of the client (Windows 7) and issued to the client and able to connect to the RD Session Host server (Windows 2008 R2).  But windows allows for 2 RDP sessions to the host machine even without the license server.  Network Administrators who do maintenance on servers (ie check status, run updates, etc) can RDP in  with the admin command like so: mstsc /v: IP_or_hostname /admin

Make sure there is a space after the IP address and before the /admin.  Many Network Administrators using this function disregard the identity of the remote computer warning message and connect anyway. (see Figure #6)

Figure 6: mstsc command and RDP warning message

Now we can connect from our Windows 7 client to our Windows 2008 R2 Server using RDP (see Figure # 7).

Figure 7: RDP login screen

Once we are provide the login information and password we are given access to our Windows 2008 R2 Server (see Figure #8).  Now lets go back and see what information Cain has saved for us running on our attack machine Windows XP (see Figure #9)

Figure 8:  Administrator Desktop of Windows 2008 Server R2

Figure 9: Files saved in ARP RDP (2)

This file that is saved pulls out keystrokes from the decrypted log file made by Cain and you can do this by hand or you can get the script by Adrian Crenshaw owner of irongeek.com.  The script is written in AutoIt v3 and works quite well.  Here is a screenshot of the parsed file run through Adrian's script (see Figure #10).

Figure 10: log parsed with Adrian's script

References on the Web:


Let pbnetworks get your pen test on target

Visit us and learn how http://pbnetworks.net
How secure is your network?

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

IoT & Smart Cities Stories
Moroccanoil®, the global leader in oil-infused beauty, is thrilled to announce the NEW Moroccanoil Color Depositing Masks, a collection of dual-benefit hair masks that deposit pure pigments while providing the treatment benefits of a deep conditioning mask. The collection consists of seven curated shades for commitment-free, beautifully-colored hair that looks and feels healthy.
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
We all love the many benefits of natural plant oils, used as a deap treatment before shampooing, at home or at the beach, but is there an all-in-one solution for everyday intensive nutrition and modern styling?I am passionate about the benefits of natural extracts with tried-and-tested results, which I have used to develop my own brand (lemon for its acid ph, wheat germ for its fortifying action…). I wanted a product which combined caring and styling effects, and which could be used after shampo...
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected pat...
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Druva is the global leader in Cloud Data Protection and Management, delivering the industry's first data management-as-a-service solution that aggregates data from endpoints, servers and cloud applications and leverages the public cloud to offer a single pane of glass to enable data protection, governance and intelligence-dramatically increasing the availability and visibility of business critical information, while reducing the risk, cost and complexity of managing and protecting it. Druva's...
BMC has unmatched experience in IT management, supporting 92 of the Forbes Global 100, and earning recognition as an ITSM Gartner Magic Quadrant Leader for five years running. Our solutions offer speed, agility, and efficiency to tackle business challenges in the areas of service management, automation, operations, and the mainframe.